spammers are using my server

#1 Thu, 11/21/2013 - 17:45
lex

spammers are using my server

Hi,

the mail.log and mail.info files increase in size dramatically fast, and syslog, the mail queue is enormous and the load on the server sometimes shoots up to over 30 before going back to normal levels like 0.5 or so.

I checked the spam mail in the mail queue for the headers, and here's an example:

Received from User (localhost [127.0.0.1]) by penghosting.nl (Postfix) with SMTP id 00B5BA3E6; Thu, 21 Nov 2013 14:59:14 +0000 (GMT)

From "Wells Fargo"online_security_alert@account.com

Subject Wells Fargo - Unread Secured Message !

Date Thu, 21 Nov 2013 08:59:27 -0600

MIME-Version 1.0

Content-Type text/html; charset="Windows-1251"

Content-Transfer-Encoding 7bit

X-Priority 3

X-MSMail-Priority Normal

X-Mailer Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE Produced By Microsoft MimeOLE V6.00.2600.0000

Message-Id 20131121145915.00B5BA3E6@penghosting.nl

Now, "penghosting.nl" is the domain that, sorry, can't remember what it's called, but it's the one that rules them all :)

The name servers that all other servers use are ns1.penghosting.nl and ns2.penghosting.nl

So I don't know, if showing 'penghosting.nl' in the headers of these spam messages means anything.

I checked all the files on penghosting.nl but don't see anything weird.

What should I do?

Thanks!

Thu, 11/21/2013 - 18:10
lex

Sometimes I get this in my mail from lfd:

Time:    Thu Nov 21 14:56:31 2013 +0000
PID:     18209 (Parent PID:3409)
Account: postfix
Uptime:  109 seconds


Executable:

/usr/lib/postfix/smtp


Command Line (often faked in exploits):

smtp -t unix -u -c


Network connections by the process (if any):

tcp: 88.208.193.145:48578 -> 209.188.88.233:25


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/var/spool/postfix/pid/unix.smtp
anon_inode:[eventpoll]
/var/spool/postfix/active/EF399A38A


Memory maps by the process (if any):

Thu, 11/21/2013 - 22:14
andreychek

Howdy,

In the headers, where it says "Received from User " -- does it list the actual "User" there?

If so, that likely means that the website belonging to the User was compromised, and that the spammers are sending spam via it.

As a quick fix, you could always disable the site.

But my recommendation would be to review the various web apps they have installed, and to make sure they're all up to date.

-Eric
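
One way to follow up on the advice above is to attribute queued mail to the path it was submitted through, using the Postfix log. This is an added example, not code from the thread; the log lines are constructed samples in standard Postfix syslog format, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Postfix syslog line: "... postfix/<daemon>[pid]: <QUEUEID>: <details>"
LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)"
)
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
QMGR_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample log (not taken from the server in this thread).
SAMPLE_LOG = """\
Nov 21 14:59:14 host postfix/smtpd[2101]: A1B2C3D4E5: client=localhost[127.0.0.1]
Nov 21 14:59:14 host postfix/cleanup[2102]: A1B2C3D4E5: message-id=<constructed-1@host.example>
Nov 21 14:59:14 host postfix/qmgr[900]: A1B2C3D4E5: from=<alert@spam.example>, size=2210, nrcpt=40 (queue active)
Nov 21 14:59:20 host postfix/smtpd[2101]: B2C3D4E5F6: client=localhost[127.0.0.1]
Nov 21 14:59:20 host postfix/qmgr[900]: B2C3D4E5F6: from=<alert@spam.example>, size=2198, nrcpt=35 (queue active)
Nov 21 15:00:02 host postfix/pickup[950]: C3D4E5F6A7: uid=1001 from=<hn>
Nov 21 15:00:02 host postfix/qmgr[900]: C3D4E5F6A7: from=<hn@host.example>, size=812, nrcpt=1 (queue active)
Nov 21 15:01:10 host postfix/smtpd[2140]: D4E5F6A7B8: client=mail.example.org[203.0.113.7], sasl_method=LOGIN, sasl_username=info@customer.example
Nov 21 15:01:10 host postfix/qmgr[900]: D4E5F6A7B8: from=<info@customer.example>, size=1500, nrcpt=2 (queue active)
Nov 21 15:01:11 host postfix/smtpd[2141]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Relay access denied
""".splitlines()


def attribute_messages(lines):
    """Map each queue ID to how it entered Postfix, its sender and recipient count.

    Sources:
      smtp-loopback:<ip>  a local process spoke SMTP to 127.0.0.1 (typical of a
                          script in a compromised web app)
      local-uid:<uid>     submitted through the sendmail binary by that Unix uid
      sasl:<user>         authenticated SMTP login (possibly a stolen password)
      smtp-remote:<ip>    unauthenticated remote client
    """
    msgs = defaultdict(lambda: {"source": "unknown", "sender": None, "nrcpt": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-message line (e.g. NOQUEUE rejects)
        qid, daemon, rest = m["qid"], m["daemon"], m["rest"]
        if daemon == "smtpd":
            client = CLIENT_RE.match(rest)
            if not client:
                continue
            sasl = SASL_RE.search(rest)
            if sasl:
                msgs[qid]["source"] = "sasl:" + sasl["user"]
            elif client["ip"] in LOOPBACK:
                msgs[qid]["source"] = "smtp-loopback:" + client["ip"]
            else:
                msgs[qid]["source"] = "smtp-remote:" + client["ip"]
        elif daemon == "pickup":
            pickup = PICKUP_RE.match(rest)
            if pickup:
                msgs[qid]["source"] = "local-uid:" + pickup["uid"]
                msgs[qid]["sender"] = pickup["sender"]
        elif daemon == "qmgr":
            queued = QMGR_RE.match(rest)
            if queued:
                msgs[qid]["sender"] = queued["sender"]
                msgs[qid]["nrcpt"] = int(queued["nrcpt"])
    return dict(msgs)


def top_sources(lines):
    """Total recipients per submission source, largest first."""
    totals = Counter()
    for info in attribute_messages(lines).values():
        totals[info["source"]] += info["nrcpt"]
    return totals.most_common()


def queue_ids_for(lines, source):
    """Queue IDs submitted through one source, for inspection with postcat -q."""
    return [q for q, i in attribute_messages(lines).items() if i["source"] == source]


if __name__ == "__main__":
    for source, recipients in top_sources(SAMPLE_LOG):
        print(f"{recipients:6d}  {source}")
```

A dominant `local-uid` source points at the account whose site or cron job is sending; a dominant `smtp-loopback` source means the Postfix log alone cannot name the account, and the web server access logs around the same timestamps are the next place to look.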

Fri, 11/22/2013 - 12:04 (Reply to #3)
lex

Sorry Eric, was so stressed didn't even properly look at your answer.

Yes, I copied it as it said 100%, didn't change a word. It says "User"... Not very helpful I guess, is it?

Fri, 11/22/2013 - 11:58
lex

Ok, I'm in deep trouble now.

In fact, the problems are bigger because of my own stupid fault. The var partition quickly filled up, so I checked with ncdu where the big files were. I found some and instead of quitting ncdu I typed some things I'd normally do in the terminal without looking at the screen. (can't really type blind. Well I can, but tell that to my eyes.)

Anyway, doing so, I deleted some stuff, for example the var/lib/bind and ar/apt folders.

Now, the server kept on running, I guess it's all in its memory or so. However, today the server wasn't responding, the var partition at 100%, I had to reboot the server but then the real problems started.

the main domain is "penghosting.nl", as that does: ns1.penghosting.nl and ns2 for all the other domains.

Before rebooting, a couple of days ago, I noticed that the var/lib/bind folder had gone. So I created a test server to see what a file like that looks like so I could copy it for the servers already on the system. A normal server looks like this:

$ttl 38400
@ IN SOA ns1.penghosting.nl. root.ns1.penghosting.nl. (
1384611538
10800
3600
604800
38400 )
@ IN NS ns1.penghosting.nl.
@ IN NS ns2.penghosting.nl.
gran-canaria-info.com. IN A 88.208.193.145
www.gran-canaria-info.com. IN A 88.208.193.145
ftp.gran-canaria-info.com. IN A 88.208.193.145
m.gran-canaria-info.com. IN A 88.208.193.145
localhost.gran-canaria-info.com. IN A 127.0.0.1
webmail.gran-canaria-info.com. IN A 88.208.193.145
admin.gran-canaria-info.com. IN A 88.208.193.145
mail.gran-canaria-info.com. IN A 88.208.193.145
gran-canaria-info.com. IN MX 5 mail.gran-canaria-info.com.
gran-canaria-info.com. IN TXT "v=spf1 a mx a:gran-canaria-info.com ip4:88.208.193.145 ?all"
autoconfig.gran-canaria-info.com. IN A 88.208.193.145

but now, I can't even restart apache2, because it can't find the penghosting.nl something.

It's a mess and I don't know what to do.

Am thinking of getting another server and setting it up new and copy sites but hey, that's going to be a lot of work.

Is there something else I could do to get it up and running again?

Thanks!

Fri, 11/22/2013 - 12:00 (Reply to #5)
lex

Forgot to say, can't get to see virtualmin either, not on the "without domainname" ip address either. I guess the apache for virtualmin can't start either.

Fri, 11/22/2013 - 12:15
lex

Ideally, I'd say reinstall bind and virtualmin: recreate all the zone files

or something like that. But I guess it ain't that easy...

fking spammers, & fking me as well ;)

Fri, 11/22/2013 - 13:18
andreychek

Howdy,

Yeah, that does sound like you're in a bit of a pickle :-)

As far as BIND goes -- one thing you could do to re-create some of those zone files is to disable the BIND DNS Domain feature in Edit Virtual Server -> Enabled Features, and then to re-enable it. That will re-generate that file with the default information.

-Eric

Fri, 11/22/2013 - 13:23 (Reply to #8)
lex

But I can't get into virtualmin just yet...

And how do I do that for, what is it called, the master zone? You know, the one that the rest use as ns1. and ns2, in my case: penghosting.nl. How do I recreate that one because I think that's the main culprit now...

Thanks!

Fri, 11/22/2013 - 13:36
lex

What would you do if you had this problem?

Thanks!

At least I still got this, as a reference.

The first one is the one that "rules them all"...

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "penghosting.nl" {
type master;
file "/var/lib/bind/penghosting.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
};
};
zone "gran-canaria-info.com" {
type master;
file "/var/lib/bind/gran-canaria-info.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
};
};
zone "tek-dek-germany.de" {
type master;
file "/var/lib/bind/tek-dek-germany.de.hosts";
allow-transfer {
127.0.0.1;
localnets;
};
};
zone "tek-dek-germany.com" {
type master;
file "/var/lib/bind/tek-dek-germany.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "goedkoopnaarspanje.com" {
type master;
file "/var/lib/bind/goedkoopnaarspanje.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "hollandsenieuwe.com" {
type master;
file "/var/lib/bind/hollandsenieuwe.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "girraween.nl" {
type master;
file "/var/lib/bind/girraween.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "allesoversterrenkunde.nl" {
type master;
file "/var/lib/bind/allesoversterrenkunde.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "journalistinturkey.com" {
type master;
file "/var/lib/bind/journalistinturkey.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "journalistinturkije.nl" {
type master;
file "/var/lib/bind/journalistinturkije.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "alternativaslaluna.org" {
type master;
file "/var/lib/bind/alternativaslaluna.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "kornesteeg.nl" {
type master;
file "/var/lib/bind/kornesteeg.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "eigenweg.nu" {
type master;
file "/var/lib/bind/eigenweg.nu.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "bloemlezing.nl" {
type master;
file "/var/lib/bind/bloemlezing.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "coledelvalle.org" {
type master;
file "/var/lib/bind/coledelvalle.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "doorads.es" {
type master;
file "/var/lib/bind/doorads.es.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "fotogeorgeburggraaff.nl" {
type master;
file "/var/lib/bind/fotogeorgeburggraaff.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "georgefoto.nl" {
type master;
file "/var/lib/bind/georgefoto.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "hansvandenbroek.com" {
type master;
file "/var/lib/bind/hansvandenbroek.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "realcanaryislands.com" {
type master;
file "/var/lib/bind/realcanaryislands.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "alive.net.nz" {
type master;
file "/var/lib/bind/alive.net.nz.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "living-in-trust.com" {
type master;
file "/var/lib/bind/living-in-trust.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "zeelevencoaching.nl" {
type master;
file "/var/lib/bind/zeelevencoaching.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "alivecoaching.nl" {
type master;
file "/var/lib/bind/alivecoaching.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "waterwoorden.nl" {
type master;
file "/var/lib/bind/waterwoorden.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "deining.org" {
type master;
file "/var/lib/bind/deining.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "livinglascanteras.com" {
type master;
file "/var/lib/bind/livinglascanteras.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "frederike.nl" {
type master;
file "/var/lib/bind/frederike.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "puravidacanarias.com" {
type master;
file "/var/lib/bind/puravidacanarias.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "tekensvanleven.nl" {
type master;
file "/var/lib/bind/tekensvanleven.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "escort4womengrancanaria.com.disabled" {
type master;
file "/var/lib/bind/escort4womengrancanaria.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "laguetetrailrun.org" {
type master;
file "/var/lib/bind/laguetetrailrun.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "peng.es" {
type master;
file "/var/lib/bind/peng.es.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "photosgrancanaria.com" {
type master;
file "/var/lib/bind/photosgrancanaria.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "beterefotosdoorbeterkijken.nl" {
type master;
file "/var/lib/bind/beterefotosdoorbeterkijken.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "heinekencafe.com" {
type master;
file "/var/lib/bind/heinekencafe.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "ceciledumoulin.com" {
type master;
file "/var/lib/bind/ceciledumoulin.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "penggraphics.com" {
type master;
file "/var/lib/bind/penggraphics.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "minigolfyumbo.com" {
type master;
file "/var/lib/bind/minigolfyumbo.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "minigolfjumbo.com" {
type master;
file "/var/lib/bind/minigolfjumbo.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "naturalmentegrancanaria.com" {
type master;
file "/var/lib/bind/naturalmentegrancanaria.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "kurdishmatters.com" {
type master;
file "/var/lib/bind/kurdishmatters.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "kurtisleri.com" {
type master;
file "/var/lib/bind/kurtisleri.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "elangosto.eu.disabled" {
type master;
file "/var/lib/bind/elangosto.eu.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "laspalmaselectricbike.com" {
type master;
file "/var/lib/bind/laspalmaselectricbike.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "canary-content.com" {
type master;
file "/var/lib/bind/canary-content.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "jimmyschmidt.nl" {
type master;
file "/var/lib/bind/jimmyschmidt.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "canarias-ebike.com" {
type master;
file "/var/lib/bind/canarias-ebike.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "grancanariaebike.com" {
type master;
file "/var/lib/bind/grancanariaebike.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "surfhousepozo.com" {
type master;
file "/var/lib/bind/surfhousepozo.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "pozowindsurf.com" {
type master;
file "/var/lib/bind/pozowindsurf.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "windsurfcampgrancanaria.com" {
type master;
file "/var/lib/bind/windsurfcampgrancanaria.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "ursusmarine.nl" {
type master;
file "/var/lib/bind/ursusmarine.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "georgeburggraaff.nl" {
type master;
file "/var/lib/bind/georgeburggraaff.nl.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "georgephoto.com" {
type master;
file "/var/lib/bind/georgephoto.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "hollandpictures.com" {
type master;
file "/var/lib/bind/hollandpictures.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "bandamagolfhotel.com" {
type master;
file "/var/lib/bind/bandamagolfhotel.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "golfhotelbandama.com" {
type master;
file "/var/lib/bind/golfhotelbandama.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "hotelgolfbandama.com" {
type master;
file "/var/lib/bind/hotelgolfbandama.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "bioagaeteculturalsolidario.org" {
type master;
file "/var/lib/bind/bioagaeteculturalsolidario.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "lagart.org" {
type master;
file "/var/lib/bind/lagart.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "fakesite.org" {
type master;
file "/var/lib/bind/fakesite.org.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "grancanariacongress.com" {
type master;
file "/var/lib/bind/grancanariacongress.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "testwebsite.com" {
type master;
file "/var/lib/bind/testwebsite.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
zone "fotosgrancanaria.com" {
type master;
file "/var/lib/bind/fotosgrancanaria.com.hosts";
allow-transfer {
127.0.0.1;
localnets;
88.208.193.146;
};
};
Sat, 11/23/2013 - 22:23
andreychek

Hmm, yeah, it certainly makes things a bit more difficult if you can't get into Virtualmin. At least with Virtualmin, you'd be able to perform some restores if you have backups available.

What problem is it that you're having with Virtualmin at the moment?

And does restarting Webmin help? You can do that with this command:

/etc/init.d/webmin restart

Sun, 11/24/2013 - 16:41
lex

That works fine, it stops, then starts, but I get to see nothing. My guess is that apache2 can't start because of it not finding information about the "main" domain of the server, but hey, what do I know, I might be completely wrong :)

Is there a log file for the apache that runs webmin?

Mon, 11/25/2013 - 02:47
Locutus

Webmin isn't run thru Apache, but has its own small webserver called miniserv.pl. Its logs go to /var/webmin.

Mon, 11/25/2013 - 04:14 (Reply to #13)
lex

Thanks!

Mon, 11/25/2013 - 04:12
lex

In var/lib/bind are the hosts files for the domains, a 'normal one' looks like this, right:

$ttl 38400
@ IN SOA ns1.penghosting.nl. root.ns1.penghosting.nl. (
1384611538
10800
3600
604800
38400 )
@ IN NS ns1.penghosting.nl.
@ IN NS ns2.penghosting.nl.
testwebsite.com. IN A 88.208.193.145
www.testwebsite.com. IN A 88.208.193.145
ftp.testwebsite.com. IN A 88.208.193.145
m.testwebsite.com. IN A 88.208.193.145
localhost.testwebsite.com. IN A 127.0.0.1
webmail.testwebsite.com. IN A 88.208.193.145
admin.testwebsite.com. IN A 88.208.193.145
mail.testwebsite.com. IN A 88.208.193.145
testwebsite.com. IN MX 5 mail.testwebsite.com.
testwebsite.com. IN TXT "v=spf1 a mx a:testwebsite.com ip4:88.208.193.145 ?all"
autoconfig.testwebsite.com. IN A 88.208.193.145

What does the one for the "main domain" look like, in the above case, the one for penghosting.nl?

Can anybody post an example? Thanks!

Mon, 11/25/2013 - 05:32 (Reply to #15)
lex

I found an example, I did this:

$ttl 38400
@ IN SOA ns1.penghosting.nl. root.ns1.penghosting.nl. (
1385376458
10800
3600
604800
38400 )
@ IN NS ns1.penghosting.nl.
@ IN NS ns2.penghosting.nl.
penghosting.nl. IN A 88.208.193.145
www.penghosting.nl. IN A 88.208.193.145
ftp.penghosting.nl. IN A 88.208.193.145
m.penghosting.nl. IN A 88.208.193.145
ns1.penghosting.nl. IN A 88.208.193.145
ns2.penghosting.nl. IN A 88.208.193.146
localhost.penghosting.nl. IN A 127.0.0.1
webmail.penghosting.nl. IN A 88.208.193.145
admin.penghosting.nl. IN A 88.208.193.145
mail.penghosting.nl. IN A 88.208.193.145
penghosting.nl. IN MX 5 mail.penghosting.nl.
penghosting.nl. IN TXT "v=spf1 a mx a:penghosting.nl ip4:88.208.193.145 ?all"
autoconfig.penghosting.nl. IN A 88.208.193.145

restarted bind, and now I could restart apache2 as well.

No luck on starting up virtualmin, but at least I can now create manually those hosts file for all the domains and get those up and running which seems now the most important thing.

Mon, 11/25/2013 - 04:43
Locutus

The folder /var/lib/bind only holds the zone files for your BIND domains. It would be easiest to simply toggle the BIND feature in Virtualmin off and on again for all zones, then Virtualmin will recreate all zone files with the proper contents.

You can also do this using the Virtualmin API from a command shell like so:

virtualmin disable-feature --all-domains --dns
virtualmin enable-feature --all-domains --dns

provided you actually had DNS enabled for ALL your domains before, otherwise re-enable it individually.

Mon, 11/25/2013 - 04:57 (Reply to #17)
lex

Thanks! I'll try this now.

Mon, 11/25/2013 - 05:06 (Reply to #18)
lex

Thanks Locutus, you saved me a lot of time copying and pasting etc...

The only domains that I'm still having troubles with now are:

server aliases domain (they all seem to point to the default website for an ip instead of the domain name they're server to point to if you know what I mean)

websites whose domain name is not 100% the same as the directory in home, for example, for my website hollandsenieuwe.com I told virtualmin to use hn as the directory name etc, (login etc), so the website

hollandsenieuwe.com

is found in /home/hn/public_html

These don't work either, the homepage is found but none of the (relative) links work.

Somebody knows what I should do?

Thanks yet again!

Mon, 11/25/2013 - 05:39 (Reply to #19)
lex

All the info in /etc/apache2/sites-available/hollandsenieuwe.com.conf seems all right:

<VirtualHost 88.208.193.146:80>
SuexecUserGroup "#1004" "#1004"
ServerName hollandsenieuwe.com
ServerAlias www.hollandsenieuwe.com
ServerAlias webmail.hollandsenieuwe.com
ServerAlias admin.hollandsenieuwe.com
ServerAlias autoconfig.hollandsenieuwe.com
DocumentRoot /home/hn/public_html
ErrorLog /var/log/virtualmin/hollandsenieuwe.com_error_log
CustomLog /var/log/virtualmin/hollandsenieuwe.com_access_log combined
ScriptAlias /cgi-bin/ /home/hn/cgi-bin/
ScriptAlias /awstats/ /home/hn/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/hn/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory /home/hn/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.hollandsenieuwe.com
RewriteRule ^(.*) https://hollandsenieuwe.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.hollandsenieuwe.com
RewriteRule ^(.*) https://hollandsenieuwe.com:10000/ [R]

etc...

Mon, 11/25/2013 - 04:50
lex

I've got the first sites up and running, but am having problems with domain names that are aliases for other domains.

Does anybody have a .hosts example for an alias domain?

Thanks!

Mon, 11/25/2013 - 05:19 (Reply to #21)
lex

Somebody here has the same problem, but through other causes:

https://www.virtualmin.com/node/24981

So I guess I should see if I can get virtualmin up and running somehow, anybody an idea what I could try to get it up and running (restarting webmin works, but I can't reach it online)?

Mon, 11/25/2013 - 06:41
Locutus

Take a look at the Apache error logs, to find out where the relative links point to. Without concrete example I can't say much more.

Mon, 11/25/2013 - 08:12
andreychek

I agree Lex, you might find this a bit easier to fix if you could access Virtualmin, and just re-generate some of those files, and/or access your backups.

After starting Webmin, do you see any errors in /var/webmin/miniserv.error?

Also, what is the output of this command:

netstat -an | grep :10000

-Eric

Mon, 11/25/2013 - 08:53
lex

Thanks people!

Here's the output from netstat:

tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:10000           0.0.0.0:*

I just restarted webmin now, and in the error log, I see:

[25/Nov/2013:14:39:50 +0000] miniserv.pl started
[25/Nov/2013:14:39:50 +0000] Using MD5 module Digest::MD5
[25/Nov/2013:14:39:50 +0000] PAM authentication enabled
Mon, 11/25/2013 - 09:56
lex

This server, is supposed to be an alias of peng.es

There is nothing in this here telling everybody that that is the case:

$ttl 38400
photosgrancanaria.com. IN SOA ns1.penghosting.nl. root.ns1.penghosting.nl. (
1385376454
10800
3600
604800
38400 )
photosgrancanaria.com. IN NS ns1.penghosting.nl.
photosgrancanaria.com. IN NS ns2.penghosting.nl.
photosgrancanaria.com. IN A 88.208.193.146
www.photosgrancanaria.com. IN A 88.208.193.146
ftp.photosgrancanaria.com. IN A 88.208.193.146
m.photosgrancanaria.com. IN A 88.208.193.146
localhost.photosgrancanaria.com. IN A 127.0.0.1
webmail.photosgrancanaria.com. IN A 88.208.193.146
admin.photosgrancanaria.com. IN A 88.208.193.146
mail.photosgrancanaria.com. IN A 88.208.193.146
photosgrancanaria.com. IN MX 5 mail.photosgrancanaria.com.
photosgrancanaria.com. IN TXT "v=spf1 a mx a:photosgrancanaria.com ip4:88.208.193.145 ip4:88.208.193.146 ?all"
autoconfig.photosgrancanaria.com. IN A 88.208.193.146

How is it supposed to work?

Mon, 11/25/2013 - 09:59
lex

About not being able to see virtualmin: over links (in a terminal) it does work and asks me to login.

Mon, 11/25/2013 - 10:01
lex

Which got me thinking, and yes, I needed to do this:

iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 20000 -j ACCEPT

Now I'm in.

Mon, 11/25/2013 - 10:05
lex

Ok, if via virtualmin I 'preview' the website, I get to see the site that I'm supposed to see.

https://88.208.193.145:10000/virtual-server/link.cgi/88.208.193.146/http...

In the real world, however, I still get to see the 'default domain for this ip' (88.208.193.146), which is a completely different website.

What would you guys and girls do now?

(out of ideas)

Mon, 11/25/2013 - 10:08
Locutus

Alias-servers get their own BIND zone too, so it's not incorrect that your "photosgrancanaria.com" has one. Are you seeing any problems with it? You need to be more specific in what problems you have precisely, as opposed to making post after post, telling us what stuff you do and try.

At some point, if you can't get your machine working again, it might be easier to restore a backup. Trying to remotely fix all problems that arose due to your deleting part of /var is probably beyond the scope of this forum.

Mon, 11/25/2013 - 10:33
lex

Ok thanks Locutus,

I don't have a good backup, as I didn't know what exactly to back up. I'll learn that after this is all working again.

By the way, I might be over-posting :), but I'm doing that so if somebody else ever has a similar problem they might find something they're looking for.

Ok, so I'm left with this main problem:

Servers that are aliases of other servers are not showing the site they should, but instead they show the main server for that ip. If I change the main server for that ip, then that's the site shown.

The same goes for sites in which I created a custom username. For example, the site www.hollandsenieuwe.com shows the default website for that ip address as well, and for that site I created the custom username: hn (what normally would have been hollandsenieuwe) when I set it up.

Sorry if I haven't been very clear...

Mon, 11/25/2013 - 12:40
Locutus

Easiest solution might be, if it's not too many, to delete and re-create the alias servers. Since they don't have many settings to configure, that should go quite quickly.

Mon, 11/25/2013 - 13:24
lex

Good thinking, thanks!

Same thing happens. So the deleted stuff (early in the var partition) must have to do with it, but it only became obvious after restarting bind9, or at least, after rebooting.

Which is going to make this more complicated I guess.

In /var/bind I have now all the hosts files. Is there something near, that I've deleted too and that's necessary for these aliases to work?

I really am sorry for all the help I'm asking. I'll make sure I'll start to learn about how to best back up this kind of stuff.

Mon, 11/25/2013 - 13:35
lex

And here everything seems as it should be: the hollandsenieuwe.com.conf in /etc/apache2/sites-available looks as it should do to me, with the "hn" instead of the "hollandsenieuwe".

Mon, 11/25/2013 - 14:34
andreychek

What is the output of this command:

grep -i virtualhost /etc/apache2/sites-enabled/*.conf

That will show the IP/port used for the various Apache configs... maybe something in there will stick out as a problem.

-Eric

Mon, 11/25/2013 - 15:00
lex

Thanks Eric, looks all pretty normal. Shows all the "real" domains (not the aliases), with either one of the two ip's I use on the server, like this:

/etc/apache2/sites-enabled/peng.es.conf:<VirtualHost 88.208.193.146:80>
/etc/apache2/sites-enabled/peng.es.conf:</VirtualHost>

But then all of them...
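
The grep in this exchange lists only the address each vhost binds to, not the names it answers for. As an added example (not part of the thread; the `vhost_for_host` helper, the `.example` names and the 192.0.2.10 address are constructed), this shell function reports which config file Apache's name-based matching would select for a hostname, including the fall-through to the first vhost on the address that shows up as the 'default domain for this ip'.

```shell
#!/bin/sh
# Which config file would Apache's name-based matching pick for a Host header?
# A ServerName/ServerAlias match on the address wins; with no match, the first
# vhost defined for that address serves the request (the "default" site).
# Simplified: explicit IP:PORT vhosts only, "*" wildcards in names, and files
# read in sorted glob order, as a wildcard Include of sites-enabled does.
vhost_for_host() {  # usage: vhost_for_host CONF_DIR IP:PORT HOSTNAME
    awk -v addr="$2" -v host="$3" '
        BEGIN { host = tolower(host) }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^<virtualhost[ \t]/ {
            gsub(/[<>]/, "", line); n = split(line, f); invh = 0
            for (i = 2; i <= n; i++) if (f[i] == addr) invh = 1
            if (invh && first == "") first = FILENAME
            next
        }
        line ~ /^<\/virtualhost>/ { invh = 0; next }
        invh && line ~ /^server(name|alias)[ \t]/ {
            n = split(line, f)
            for (i = 2; i <= n; i++) {
                pat = f[i]; sub(/:[0-9]+$/, "", pat)
                gsub(/\./, "[.]", pat); gsub(/\*/, ".*", pat)
                if (hit == "" && host ~ ("^" pat "$")) hit = FILENAME
            }
        }
        END {
            if (hit != "") print "match " hit
            else if (first != "") print "default " first
            else print "none"
        }
    ' "$1"/*.conf
}

# Constructed sample configs (reserved example names and documentation IPs).
make_demo_confs() {  # usage: make_demo_confs DIR
    printf '%s\n' '<VirtualHost 192.0.2.10:80>' \
        '    ServerName main.example' '</VirtualHost>' > "$1/a-main.example.conf"
    printf '%s\n' '<VirtualHost 192.0.2.10:80>' \
        '    ServerName site.example' \
        '    ServerAlias www.site.example alias.example *.alias.example' \
        '</VirtualHost>' > "$1/b-site.example.conf"
}

demo_dir=$(mktemp -d)
make_demo_confs "$demo_dir"
for h in site.example www.alias.example forgotten.example; do
    printf '%-20s -> %s\n' "$h" "$(vhost_for_host "$demo_dir" 192.0.2.10:80 "$h")"
done
rm -rf "$demo_dir"
```

On a live server, pass /etc/apache2/sites-enabled and the address shown in the grep output; a hostname that comes back as `default` has no ServerName or ServerAlias entry on that address.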

Mon, 11/25/2013 - 16:36
lex

Ok, I didn't do anything, but everything works all of a sudden. I don't know what caused that, some dns caching going on or so? (I did restart bind and apache all the time, but hey)

Anyway, I'm not complaining.

First of all, before going to bed: THANKS A LOT everybody! It really is good to know there's a place where I can come with my silly server problems.

I was just checking up backing up in the cloud plans, and they are really cheap, but then they have little statements that if they find out you're a business you have to take a business plan...

But if somebody wants 35% discount from justcloud, here you go: https://secure.justcloud.com/?scoup=35off#ic

Tomorrow I'll try and see if I can do something about the original subject here, the spammers.